<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.0">
<script src="https://cdn.jsdelivr.net/gh/stevenjoezhang/live2d-widget@latest/autoload.js"></script>
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/picture/pika.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/picture/pika.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">
  <meta name="baidu-site-verification" content="code-LqqDM3vffE">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.css">


  <script>
  (function(i,s,o,g,r,a,m){i["DaoVoiceObject"]=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;a.charset="utf-8";m.parentNode.insertBefore(a,m)})(window,document,"script",('https:' == document.location.protocol ? 'https:' : 'http:') + "//widget.daovoice.io/widget/2efd5eff.js","daovoice")
  daovoice('init', {
    app_id: "2efd5eff"
  });
  daovoice('update');
  </script>


<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"notspr.com","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":"mac"},"back2top":{"enable":true,"sidebar":true,"scrollpercent":true},"bookmark":{"enable":true,"color":"#ff7600","save":"auto"},"fancybox":true,"mediumzoom":false,"lazyload":true,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":false,"async":true,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="前言 在之前《HTTP 与 HTTPS 的区别》中，对比了HTTP&#x2F;HTTPS的不同，以及HTTP&#x2F;HTTPS是如何TCP握手的，那么HTTPS为什么是安全的？ 超文本传输协议HTTP协议被用于在Web浏览器和网站服务器之间传递信息，HTTP协议以明文方式发送内容，不提供任何方式的数据加密，如果攻击者截取了Web浏览器和网站服务器之间的传输报文，就可以直接读懂其中的信息，因此，HTTP协议不适合">
<meta property="og:type" content="article">
<meta property="og:title" content="HTTPS 为什么是安全的">
<meta property="og:url" content="https://notspr.com/2019/12/15/why-https-security/index.html">
<meta property="og:site_name" content="Sapphire">
<meta property="og:description" content="前言 在之前《HTTP 与 HTTPS 的区别》中，对比了HTTP&#x2F;HTTPS的不同，以及HTTP&#x2F;HTTPS是如何TCP握手的，那么HTTPS为什么是安全的？ 超文本传输协议HTTP协议被用于在Web浏览器和网站服务器之间传递信息，HTTP协议以明文方式发送内容，不提供任何方式的数据加密，如果攻击者截取了Web浏览器和网站服务器之间的传输报文，就可以直接读懂其中的信息，因此，HTTP协议不适合">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/osi-7layers.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-1.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-2.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-3.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-4.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-5.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-6.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-7.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-8.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-9.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-10.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-11.png">
<meta property="og:image" content="https://notspr.com/2019/12/15/why-https-security/why-https-security-12.png">
<meta property="article:published_time" content="2019-12-14T16:18:01.000Z">
<meta property="article:modified_time" content="2020-12-03T16:24:14.739Z">
<meta property="article:author" content="Ryan Shu">
<meta property="article:tag" content="HTTP&#x2F;HTTPS">
<meta property="article:tag" content="传输协议">
<meta property="article:tag" content="SSL">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://notspr.com/2019/12/15/why-https-security/osi-7layers.png">

<link rel="canonical" href="https://notspr.com/2019/12/15/why-https-security/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>HTTPS 为什么是安全的 | Sapphire</title>
  


  <script data-pjax>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?2907d577c8c6c2f7fe3843736d24280d";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <!--pjax：防止跳转页面音乐暂停-->
  <script src="https://cdn.jsdelivr.net/npm/pjax@0.2.8/pjax.js"></script>
<link rel="alternate" href="/atom.xml" title="Sapphire" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sapphire</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">興趣使然的博客</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/aboutme/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">82</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">34</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">40</span></a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="reading-progress-bar"></div>
  <a role="button" class="book-mark-link book-mark-link-fixed"></a>

  <a href="https://github.com/sususama5555" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://notspr.com/2019/12/15/why-https-security/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/picture/avatar.jpg">
      <meta itemprop="name" content="Ryan Shu">
      <meta itemprop="description" content="全栈 | 硬件 | 篮球 | 游戏">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sapphire">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          HTTPS 为什么是安全的
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2019-12-15 00:18:01" itemprop="dateCreated datePublished" datetime="2019-12-15T00:18:01+08:00">2019-12-15</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/" itemprop="url" rel="index"><span itemprop="name">计算机网络</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/HTTP/" itemprop="url" rel="index"><span itemprop="name">HTTP</span></a>
                </span>
            </span>

          <br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>3k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>3 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <blockquote>
<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2></blockquote>
<p>在之前《HTTP 与 HTTPS 的区别》中，对比了<code>HTTP/HTTPS</code>的不同，以及<code>HTTP/HTTPS</code>是如何<code>TCP</code>握手的，那么HTTPS为什么是安全的？</p>
<p>超文本传输协议HTTP协议被用于在Web浏览器和网站服务器之间传递信息，HTTP协议以明文方式发送内容，不提供任何方式的数据加密，如果攻击者截取了Web浏览器和网站服务器之间的传输报文，就可以直接读懂其中的信息，因此，HTTP协议不适合传输一些敏感信息。</p>
<p>为了解决HTTP协议的这一缺陷，需要使用另一种协议：安全套接字层超文本传输协议HTTPS，为了数据传输的安全，HTTPS在HTTP的基础上加入了<code>SSL</code>协议，SSL依靠证书来验证服务器的身份，并为浏览器和服务器之间的通信加密。</p>
<h2 id="HTTP-协议"><a href="#HTTP-协议" class="headerlink" title="HTTP 协议"></a>HTTP 协议</h2><p>在谈论 HTTPS 协议之前，先来回顾一下 HTTP 协议的概念。</p>
<h3 id="HTTP-协议介绍"><a href="#HTTP-协议介绍" class="headerlink" title="HTTP 协议介绍"></a>HTTP 协议介绍</h3><p>HTTP 协议是一种基于文本的传输协议，它位于 OSI 网络模型中的<strong><code>应用层</code></strong>。</p>
<img data-src="/2019/12/15/why-https-security/osi-7layers.png" class>

<a id="more"></a>

<p>HTTP 协议是通过客户端和服务器的请求应答来进行通讯，目前协议由之前的 <a href="https://tools.ietf.org/html/rfc2616" target="_blank" rel="noopener">RFC 2616</a> 拆分成立六个单独的协议说明（<a href="https://tools.ietf.org/html/rfc7230" target="_blank" rel="noopener">RFC 7230</a>、<a href="https://tools.ietf.org/html/rfc7231" target="_blank" rel="noopener">RFC 7231</a>、<a href="https://tools.ietf.org/html/rfc7232" target="_blank" rel="noopener">RFC 7232</a>、<a href="https://tools.ietf.org/html/rfc7233" target="_blank" rel="noopener">RFC 7233</a>、<a href="https://tools.ietf.org/html/rfc7234" target="_blank" rel="noopener">RFC 7234</a>、<a href="https://tools.ietf.org/html/rfc7235" target="_blank" rel="noopener">RFC 7235</a>），通讯报文如下：</p>
<ul>
<li>请求</li>
</ul>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">http://www.baidu.com</span> HTTP/1.1</span><br><span class="line"><span class="attribute">Host</span>: www.baidu.com</span><br><span class="line"><span class="attribute">Connection</span>: keep-alive</span><br><span class="line"><span class="attribute">Content-Length</span>: 7</span><br><span class="line"><span class="attribute">User-Agent</span>: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36</span><br><span class="line"></span><br><span class="line">wd=HTTP</span><br></pre></td></tr></table></figure>

<ul>
<li>响应</li>
</ul>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">HTTP/1.1 <span class="number">200</span> OK</span><br><span class="line"><span class="attribute">Connection</span>: Keep-Alive</span><br><span class="line"><span class="attribute">Content-Encoding</span>: gzip</span><br><span class="line"><span class="attribute">Content-Type</span>: text/html;charset=utf-8</span><br><span class="line"><span class="attribute">Date</span>: Thu, 14 Feb 2019 07:23:49 GMT</span><br><span class="line"><span class="attribute">Transfer-Encoding</span>: chunked</span><br><span class="line"></span><br><span class="line">&lt;html&gt;...&lt;/html&gt;</span><br></pre></td></tr></table></figure>

<!--more-->

<h3 id="HTTP-中间人攻击"><a href="#HTTP-中间人攻击" class="headerlink" title="HTTP 中间人攻击"></a>HTTP 中间人攻击</h3><p>HTTP 协议使用起来确实非常的方便，但是它存在一个致命的缺点：<code>不安全</code>。</p>
<p>我们知道 HTTP 协议中的报文都是以明文的方式进行传输，不做任何加密，这样会导致什么问题呢？下面来举个例子：</p>
<ol>
<li>小明在 JAVA 贴吧发帖，内容为<code>我爱JAVA</code>：<img data-src="/2019/12/15/why-https-security/why-https-security-1.png" class></li>
<li>被中间人进行攻击，内容修改为<code>我爱PHP</code><img data-src="/2019/12/15/why-https-security/why-https-security-2.png" class></li>
<li>小明被群嘲(手动狗头)</li>
</ol>
<p>可以看到在 HTTP 传输过程中，中间人能看到并且修改 HTTP 通讯中所有的请求和响应内容，所以使用 HTTP 是非常的不安全的。</p>
<h3 id="防止中间人攻击"><a href="#防止中间人攻击" class="headerlink" title="防止中间人攻击"></a>防止中间人攻击</h3><p>这个时候可能就有人想到了，既然内容是明文那我使用<code>对称加密</code>的方式将报文加密这样中间人不就看不到明文了吗，于是如下改造：</p>
<ol>
<li>双方约定加密方式<img data-src="/2019/12/15/why-https-security/why-https-security-3.png" class></li>
<li>使用 AES 加密报文<img data-src="/2019/12/15/why-https-security/why-https-security-4.png" class>

</li>
</ol>
<p>这样看似中间人获取不到明文信息了，但其实在通讯过程中还是会以明文的方式暴露加密方式和秘钥，如果第一次通信被拦截到了，那么秘钥就会泄露给中间人，中间人仍然可以解密后续的通信：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-5.png" class>

<p>那么对于这种情况，我们肯定就会考虑能不能将秘钥进行加密不让中间人看到呢？答案是有的，采用<code>非对称加密</code>，我们可以通过 RSA 算法来实现。</p>
<p>在约定加密方式的时候由服务器生成一对<code>公私钥</code>，服务器将<code>公钥</code>返回给客户端，客户端本地生成一串秘钥(<code>AES_KEY</code>)用于<code>对称加密</code>，并通过服务器发送的<code>公钥</code>进行加密得到(<code>AES_KEY_SECRET</code>)，之后返回给服务端，服务端通过<code>私钥</code>将客户端发送的<code>AES_KEY_SECRET</code>进行解密得到<code>AEK_KEY</code>,最后客户端和服务器通过<code>AEK_KEY</code>进行报文的加密通讯，改造如下：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-6.png" class>

<p>可以看到这种情况下中间人是窃取不到用于<code>AES加密</code>的秘钥，所以对于后续的通讯是肯定无法进行解密了，那么这样做就是绝对安全了吗？</p>
<p>所谓道高一尺魔高一丈，中间人为了对应这种加密方法又想出了一个新的破解方案，既然拿不到<code>AES_KEY</code>，那我就把自己模拟成一个客户端和服务器端的结合体，在<code>用户-&gt;中间人</code>的过程中中间人模拟服务器的行为，这样可以拿到用户请求的明文，在<code>中间人-&gt;服务器</code>的过程中中间人模拟客户端行为，这样可以拿到服务器响应的明文，以此来进行中间人攻击：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-7.png" class>

<p>这一次通信再次被中间人截获，中间人自己也伪造了一对公私钥，并将公钥发送给用户以此来窃取客户端生成的<code>AES_KEY</code>，在拿到<code>AES_KEY</code>之后就能轻松的进行解密了。</p>
<p>中间人这样为所欲为，就没有办法制裁下吗，当然有啊，接下来我们看看 HTTPS 是怎么解决通讯安全问题的。</p>
<h2 id="HTTPS-协议"><a href="#HTTPS-协议" class="headerlink" title="HTTPS 协议"></a>HTTPS 协议</h2><h3 id="HTTPS-简介"><a href="#HTTPS-简介" class="headerlink" title="HTTPS 简介"></a>HTTPS 简介</h3><p>HTTPS 其实是<code>SSL</code>+<code>HTTP</code>的简称,当然现在<code>SSL</code>基本已经被<code>TLS</code>取代了，不过接下来我们还是统一以<code>SSL</code>作为简称，<code>SSL</code>协议其实不止是应用在<code>HTTP</code>协议上，还在应用在各种应用层协议上，例如：<code>FTP</code>、<code>WebSocket</code>。</p>
<p>其实<code>SSL</code>协议大致就和上一节<code>非对称加密</code>的性质一样，握手的过程中主要也是为了交换秘钥，然后再通讯过程中使用<code>对称加密</code>进行通讯，大概流程如下：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-8.png" class>

<p>这里我只是画了个示意图，其实真正的 SSL 握手会比这个复杂的多，但是性质还是差不多，而且我们这里需要关注的重点在于 HTTPS 是如何防止中间人攻击的。</p>
<p>通过上图可以观察到，服务器是通过 SSL 证书来传递<code>公钥</code>，客户端会对 SSL 证书进行验证，其中证书认证体系就是确保<code>SSL</code>安全的关键，接下来我们就来讲解下<code>CA 认证体系</code>，看看它是如何防止中间人攻击的。</p>
<h3 id="CA-认证体系"><a href="#CA-认证体系" class="headerlink" title="CA 认证体系"></a>CA 认证体系</h3><p>上一节我们看到客户端需要对服务器返回的 SSL 证书进行校验，那么客户端是如何校验服务器 SSL 证书的安全性呢。</p>
<ul>
<li><p>权威认证机构<br>在 CA 认证体系中，所有的证书都是由权威机构来颁发，而权威机构的 CA 证书都是已经在操作系统中内置的，我们把这些证书称之为<code>CA根证书</code>：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-9.png" class>
</li>
<li><p>签发证书</p>
<p>我们的应用服务器如果想要使用 SSL 的话，需要通过权威认证机构来签发<code>CA证书</code>，我们将服务器生成的公钥和站点相关信息发送给<code>CA签发机构</code>，再由<code>CA签发机构</code>通过服务器发送的相关信息用<code>CA签发机构</code>进行加签，由此得到我们应用服务器的证书，证书会对应的生成证书内容的<code>签名</code>，并将该<code>签名</code>使用<code>CA签发机构</code>的私钥进行加密得到<code>证书指纹</code>，并且与上级证书生成关系链。<br>这里我们把百度的证书下载下来看看：</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-10.png" class>
<img data-src="/2019/12/15/why-https-security/why-https-security-11.png" class>

<p>可以看到百度是受信于<code>GlobalSign G2</code>，同样的<code>GlobalSign G2</code>是受信于<code>GlobalSign R1</code>，当客户端(浏览器)做证书校验时，会一级一级的向上做检查，直到最后的<code>根证书</code>，如果没有问题说明<code>服务器证书</code>是可以被信任的。</p>
</li>
<li><p>如何验证服务器证书<br>那么客户端(浏览器)又是如何对<code>服务器证书</code>做校验的呢，首先会通过层级关系找到上级证书，通过上级证书里的<code>公钥</code>来对服务器的<code>证书指纹</code>进行解密得到<code>签名(sign1)</code>，再通过签名算法算出服务器证书的<code>签名(sign2)</code>，通过对比<code>sign1</code>和<code>sign2</code>，如果相等就说明证书是没有被<code>篡改</code>也不是<code>伪造</code>的。</p>
<img data-src="/2019/12/15/why-https-security/why-https-security-12.png" class>

<blockquote>
<p>这里有趣的是，证书校验用的 RSA 是通过私钥加密证书签名，公钥解密来巧妙的验证证书有效性。</p>
</blockquote>
</li>
</ul>
<p>这样通过证书的认证体系，我们就可以避免了中间人窃取<code>AES_KEY</code>从而发起拦截和修改 HTTP 通讯的报文。</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>首先先通过对 HTTP 中间人攻击的来了解到 HTTP 为什么是不安全的，然后再从安全攻防的技术演变一直到 HTTPS 的原理概括，希望能让大家对 HTTPS 有个更深刻的了解。</p>
<hr>
<p>转载自：</p>
<p><a href="https://segmentfault.com/a/1190000023936425" target="_blank" rel="noopener">mokeyWie - 为什么HTTPS是安全的</a></p>

    </div>

    
    
    
        

<div>
<ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者： </strong>Ryan Shu
  </li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="https://notspr.com/2019/12/15/why-https-security/" title="HTTPS 为什么是安全的">https://notspr.com/2019/12/15/why-https-security/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="noopener" target="_blank"><i class="fab fa-fw fa-creative-commons"></i>BY-NC-SA</a> 许可协议。转载请注明出处！
  </li>
</ul>
</div>

        

  <div class="followme">
    <p>欢迎关注我的其它发布渠道</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/picture/weixin.png">
            <span class="icon">
              <i class="fab fa-weixin"></i>
            </span>

            <span class="label">WeChat</span>
          </a>
        </div>

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/HTTP-HTTPS/" rel="tag"><i class="fa fa-tag"></i> HTTP/HTTPS</a>
              <a href="/tags/%E4%BC%A0%E8%BE%93%E5%8D%8F%E8%AE%AE/" rel="tag"><i class="fa fa-tag"></i> 传输协议</a>
              <a href="/tags/SSL/" rel="tag"><i class="fa fa-tag"></i> SSL</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2019/12/03/http-https/" rel="prev" title="HTTP 与 HTTPS 的区别">
      <i class="fa fa-chevron-left"></i> HTTP 与 HTTPS 的区别
    </a></div>
      <div class="post-nav-item">
    <a href="/2019/12/24/http-clan/" rel="next" title="HTTP网络协议族">
      HTTP网络协议族 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#前言"><span class="nav-number">1.</span> <span class="nav-text">前言</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#HTTP-协议"><span class="nav-number">2.</span> <span class="nav-text">HTTP 协议</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#HTTP-协议介绍"><span class="nav-number">2.1.</span> <span class="nav-text">HTTP 协议介绍</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#HTTP-中间人攻击"><span class="nav-number">2.2.</span> <span class="nav-text">HTTP 中间人攻击</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#防止中间人攻击"><span class="nav-number">2.3.</span> <span class="nav-text">防止中间人攻击</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#HTTPS-协议"><span class="nav-number">3.</span> <span class="nav-text">HTTPS 协议</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#HTTPS-简介"><span class="nav-number">3.1.</span> <span class="nav-text">HTTPS 简介</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#CA-认证体系"><span class="nav-number">3.2.</span> <span class="nav-text">CA 认证体系</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#总结"><span class="nav-number">4.</span> <span class="nav-text">总结</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Ryan Shu"
      src="/picture/avatar.jpg">
  <p class="site-author-name" itemprop="name">Ryan Shu</p>
  <div class="site-description" itemprop="description">全栈 | 硬件 | 篮球 | 游戏</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">40</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">34</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">82</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/sususama5555" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;sususama5555" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:876324872@qq.com" title="E-Mail → mailto:876324872@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://weibo.com/u/5330189327" title="Weibo → https:&#x2F;&#x2F;weibo.com&#x2F;u&#x2F;5330189327" rel="noopener" target="_blank"><i class="fab fa-weibo fa-fw"></i>Weibo</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://steamcommunity.com/profiles/76561198294148424/" title="steam → https:&#x2F;&#x2F;steamcommunity.com&#x2F;profiles&#x2F;76561198294148424&#x2F;" rel="noopener" target="_blank"><i class="fab fa-steam fa-fw"></i>steam</a>
      </span>
      <span class="links-of-author-item">
        <a href="/atom.xml" title="RSS → &#x2F;atom.xml"><i class="fa fa-rss fa-fw"></i>RSS</a>
      </span>
  </div>
  <div class="cc-license motion-element" itemprop="license">
    <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" class="cc-opacity" rel="noopener" target="_blank"><img src="/images/cc-by-nc-sa.svg" alt="Creative Commons"></a>
  </div>


  <div class="links-of-blogroll motion-element">
    <div class="links-of-blogroll-title"><i class="fa fa-link fa-fw"></i>
      友情链接
    </div>
    <ul class="links-of-blogroll-list">
        <li class="links-of-blogroll-item">
          <a href="http://ddoudou.xyz/" title="http:&#x2F;&#x2F;ddoudou.xyz" rel="noopener" target="_blank">豆豆的博客</a>
        </li>
    </ul>
  </div>

      </div>

      <!-- 音乐播放器 -->
      
           <div>
              <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="210" height="110" src="//music.163.com/outchain/player?type=2&id=4226232&auto=1&height=66"></iframe>
           </div>
      

      <!-- 滚动条 -->
        <div class="back-to-top motion-element">
          <i class="fa fa-arrow-up"></i>
          <span>0%</span>
        </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        
  <div class="beian"><a href="https://beian.miit.gov.cn/" rel="noopener" target="_blank">粤ICP备20063016号-2 </a>
  </div>

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Ryan Shu</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
      <span class="post-meta-item-text">站点总字数：</span>
    <span title="站点总字数">180k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
      <span class="post-meta-item-text">站点阅读时长 &asymp;</span>
    <span title="站点阅读时长">2:44</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/pjax/pjax.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
  <script src="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/lozad@1/dist/lozad.min.js"></script>

<script src="/js/utils.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>

<script src="/js/bookmark.js"></script>

  <script>
var pjax = new Pjax({
  selectors: [
    'head title',
    '#page-configurations',
    '.content-wrap',
    '.post-toc-wrap',
    '.languages',
    '#pjax'
  ],
  switches: {
    '.post-toc-wrap': Pjax.switches.innerHTML
  },
  analytics: false,
  cacheBust: false,
  scrollTo : !CONFIG.bookmark.enable
});

window.addEventListener('pjax:success', () => {
  document.querySelectorAll('script[data-pjax], script#page-configurations, #pjax script').forEach(element => {
    var code = element.text || element.textContent || element.innerHTML || '';
    var parent = element.parentNode;
    parent.removeChild(element);
    var script = document.createElement('script');
    if (element.id) {
      script.id = element.id;
    }
    if (element.className) {
      script.className = element.className;
    }
    if (element.type) {
      script.type = element.type;
    }
    if (element.src) {
      script.src = element.src;
      // Force synchronous loading of peripheral JS.
      script.async = false;
    }
    if (element.dataset.pjax !== undefined) {
      script.dataset.pjax = '';
    }
    if (code !== '') {
      script.appendChild(document.createTextNode(code));
    }
    parent.appendChild(script);
  });
  NexT.boot.refresh();
  // Define Motion Sequence & Bootstrap Motion.
  if (CONFIG.motion.enable) {
    NexT.motion.integrator
      .init()
      .add(NexT.motion.middleWares.subMenu)
      .add(NexT.motion.middleWares.postList)
      .bootstrap();
  }
  NexT.utils.updateSidebarPosition();
});
</script>




  
  <script data-pjax>
    (function(){
      var canonicalURL, curProtocol;
      //Get the <link> tag
      var x=document.getElementsByTagName("link");
		//Find the last canonical URL
		if(x.length > 0){
			for (i=0;i<x.length;i++){
				if(x[i].rel.toLowerCase() == 'canonical' && x[i].href){
					canonicalURL=x[i].href;
				}
			}
		}
    //Get protocol
	    if (!canonicalURL){
	    	curProtocol = window.location.protocol.split(':')[0];
	    }
	    else{
	    	curProtocol = canonicalURL.split(':')[0];
	    }
      //Get current URL if the canonical URL does not exist
	    if (!canonicalURL) canonicalURL = window.location.href;
	    //Assign script content. Replace current URL with the canonical URL
      !function(){var e=/([http|https]:\/\/[a-zA-Z0-9\_\.]+\.baidu\.com)/gi,r=canonicalURL,t=document.referrer;if(!e.test(r)){var n=(String(curProtocol).toLowerCase() === 'https')?"https://sp0.baidu.com/9_Q4simg2RQJ8t7jm9iCKT-xh_/s.gif":"//api.share.baidu.com/s.gif";t?(n+="?r="+encodeURIComponent(document.referrer),r&&(n+="&l="+r)):r&&(n+="?l="+r);var i=new Image;i.src=n}}(window);})();
  </script>




  
<script src="/js/local-search.js"></script>













    <div id="pjax">
  

  

    </div>
</body>
</html>
